Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

HDFS Ranger plugin policies are not working as expected (Possible Kerberos problem)

avatar
Explorer

We have a cloudera cluster version 3.1, fully kerberized.

 

We have ranger with HDFS, Hive, HBASE, among other plugins active.

 

All of the sudden, the HBASE service gets stopped after saying that the Ambari Metrics user does not have permissions under /apps/hbase/*. We have the ranger policy in HDFS where the user has read, write, execute permissions in the mentioned paths. Yet we see in the Ranger audit page the denial, but after HDP ACL rule, not Ranger rule.

 

I did the plugin deactivation and activation, I checked as well the plugins sync time, and the rules in place @ the hbase server servers (all looks ok)

 

We have another cluster with same configuration, that is working perfectly fine.

 

Any idea, where to look at? I have the feeling that the problem is coming with Kerberos, but I don´t see any "evident" issue.

 

Thanks!

3 REPLIES 3

avatar
Contributor

i got same the error.

avatar
Expert Contributor

Hi @josr89 you need to look at name node logs for the ranger plugin sync up, basically every service runs a ranger policy refresher which will sync the policies from the ranger, it's kind of a pull architecture, services will pull policies from ranger and store them in its cache. So try looking at Name node logs and search for ranger refresher logs that should give you some idea.

avatar
Master Collaborator

To troubleshoot the issue of ranger policies not getting synced, you can check the following log files in HDFS:

1. ranger_admin.log: This log file contains the logs related to the Ranger Admin service. It can be found in the Ranger Admin node at the location: `/var/log/ranger/ranger-admin`.

2. ranger_admin_audit.log: This log file contains the logs for auditing actions performed by Ranger Admin. It can be found at the same location as ranger_admin.log.=

3. hdfs.log: This log file contains the logs for HDFS operations. It can be found in the Hadoop log folder, which is usually located at: `/var/log/hadoop/hdfs` or `/var/log/hadoop-hdfs`